Obviously, protecting against credit card fraud means protecting the data itself. But regardless of how much security is applied directly to that information, cybercriminals can still get their hands on it via the physical devices through which the data is transmitted.
That’s why, on June 30, new PCI DSS (Payment Card Industry Data Security Standard) requirements took effect that require merchants to protect those very devices.
Specifically, Section 9.9 of PCI DSS 3.1, which addresses protection of “devices that capture payment card data via direct physical interaction with the card from tampering and substitution,” requires retailers to maintain a list of those devices, however many thousands of them a mid- to large-size chain may have, recording for each one its make and model, its location, and its serial number (or other unique identifier).
Joe Majka, Vice President & Chief Security Officer of Verifone, points out that, although these procedures are certainly necessary for tamper detection, “they nonetheless represent yet another complication for merchants and acquirers.”
To begin with, Majka explains, although many retailers already track their device information in some form, many may not be doing so in a manner that meets the specific compliance requirements. If that is the case, and a merchant’s devices (or, “more ominously,” as Majka puts it, the network connecting them) are tampered with, the merchant could be left on the hook for substantial liability.
As Majka points out, card skimming — the criminal activity of capturing payment card data by replacing legitimate payment devices with fraudulent ones — has impacted merchants “ranging from the smallest single-shop operators, to some of the largest, most well-known retail chains.” Despite visual monitoring efforts (“a key requirement” in combating skimming, says Majka), the more skilled cybercriminals are nevertheless able to switch equipment and add skimmers, operating undetected for long periods of time.
How do they get those phony devices in place to begin with? Majka observes that it’s stated plainly in the PCI DSS 3.1 requirements: “Criminals will often pose as authorized maintenance personnel in order to gain access to point of sale devices.”
Even though PCI DSS 3.1 establishes a number of processes for enforcing visual inspection, training employees on tamper detection, and procedures for using third parties to maintain devices, “the human element,” remarks Majka, “is unfortunately always the weakest link,” regardless of what policies have been implemented.
He points out that Verifone “has been working for years to make payment device estate management simpler and less costly.” The company’s view, Majka explains, is that making device registration and monitoring “fast and easy” and enabling remote, centralized management of thousands of devices can allow merchants to avoid the high costs and complexity of local control.
“We believe that remote, centralized management should incorporate a unique ‘heartbeat’ feature,” he adds, “to regularly monitor the status of devices within an estate, which functions to provide real-time alerts via dashboard or email notification of suspect activity.”
Because cybercriminals often replace legitimate payment devices with fraudulent ones that look identical to the original equipment, visual detection — manually comparing each device’s serial number against the inventory — was previously the primary means of defense in those cases. The “heartbeat” feature, by contrast, alerts personnel when tampering is detected or a device stops reporting, so that one or more devices can be deactivated before they process further transactions.
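To make the mechanism concrete, here is an added example (written for this article, not Verifone’s product code and not text from the PCI DSS standard) of how a terminal-estate monitor can pair a Section 9.9-style device list with a heartbeat check. It flags the three cases discussed above: an unknown serial reporting from a lane that has a registered device (substitution), a registered device reporting from the wrong location (moved), and a registered device that has stopped checking in (missing). The record fields, the five-minute check-in cadence, the three-missed-check-ins threshold, and every serial, location and heartbeat below are constructed assumptions for the example.

```python
"""Added example: inventory-plus-heartbeat checks for a payment-terminal estate.
All devices, locations and check-ins below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Device:
    """One row of a 9.9.1-style device list: serial, make, model, location."""
    serial: str
    make: str
    model: str
    location: str


@dataclass(frozen=True)
class Heartbeat:
    """What a terminal reports on each check-in (field set is an assumption)."""
    at: datetime
    serial: str
    make: str
    model: str
    location: str


@dataclass(frozen=True)
class Alert:
    kind: str       # SUBSTITUTION, UNKNOWN, MISMATCH, MOVED or MISSING
    serial: str
    location: str
    detail: str


HEARTBEAT_INTERVAL = timedelta(minutes=5)   # assumed check-in cadence
MISSED_ALLOWED = 3                           # alert after this many missed check-ins


def evaluate_estate(inventory, heartbeats, now):
    """Compare received heartbeats against the registered inventory; return alerts.

    `now` is passed in rather than read from the clock so the check is deterministic.
    Each (kind, serial, location) is reported once even if several heartbeats repeat it.
    """
    inventory = list(inventory)
    by_serial = {d.serial: d for d in inventory}
    by_location = {d.location: d for d in inventory}
    alerts, raised, last_seen = [], set(), {}

    def raise_alert(kind, serial, location, detail):
        if (kind, serial, location) not in raised:
            raised.add((kind, serial, location))
            alerts.append(Alert(kind, serial, location, detail))

    for hb in sorted(heartbeats, key=lambda h: h.at):
        registered = by_serial.get(hb.serial)
        if registered is None:
            expected = by_location.get(hb.location)
            if expected is not None:
                # Serial not in the inventory, reporting from a lane that has a
                # registered device: the classic swapped-terminal pattern.
                raise_alert("SUBSTITUTION", hb.serial, hb.location,
                            f"expected {expected.serial} at {hb.location}")
            else:
                raise_alert("UNKNOWN", hb.serial, hb.location,
                            "serial not in inventory and location not registered")
            continue
        if (hb.make, hb.model) != (registered.make, registered.model):
            raise_alert("MISMATCH", hb.serial, hb.location,
                        f"inventory says {registered.make} {registered.model}, "
                        f"device reports {hb.make} {hb.model}")
        if hb.location != registered.location:
            raise_alert("MOVED", hb.serial, hb.location,
                        f"registered at {registered.location}")
        if hb.serial not in last_seen or hb.at > last_seen[hb.serial]:
            last_seen[hb.serial] = hb.at

    # A device that never reported, or whose last report is older than the
    # allowed number of missed intervals, is treated as missing.
    deadline = now - HEARTBEAT_INTERVAL * MISSED_ALLOWED
    for dev in inventory:
        seen = last_seen.get(dev.serial)
        if seen is None:
            raise_alert("MISSING", dev.serial, dev.location, "no heartbeat in window")
        elif seen < deadline:
            raise_alert("MISSING", dev.serial, dev.location,
                        f"last heartbeat {seen.isoformat()}")
    return alerts


NOW = datetime(2015, 7, 1, 12, 0)   # constructed evaluation time

INVENTORY = [  # constructed sample estate: one store, five lanes
    Device("SN-1001", "Vendor-X", "Model-A", "Store 42 / Lane 1"),
    Device("SN-1002", "Vendor-X", "Model-A", "Store 42 / Lane 2"),
    Device("SN-1003", "Vendor-X", "Model-A", "Store 42 / Lane 3"),
    Device("SN-1004", "Vendor-X", "Model-A", "Store 42 / Lane 4"),
    Device("SN-1005", "Vendor-X", "Model-B", "Store 42 / Lane 5"),
]

HEARTBEATS = [  # constructed check-ins received in the last hour
    Heartbeat(NOW - timedelta(minutes=2), "SN-1001", "Vendor-X", "Model-A", "Store 42 / Lane 1"),   # healthy
    Heartbeat(NOW - timedelta(minutes=3), "SN-9999", "Vendor-X", "Model-A", "Store 42 / Lane 2"),   # unknown serial on Lane 2
    Heartbeat(NOW - timedelta(minutes=1), "SN-1003", "Vendor-X", "Model-A", "Store 42 / Lane 4"),   # known device, wrong lane
    Heartbeat(NOW - timedelta(minutes=20), "SN-1005", "Vendor-X", "Model-B", "Store 42 / Lane 5"),  # stale
]

if __name__ == "__main__":
    for a in evaluate_estate(INVENTORY, HEARTBEATS, NOW):
        print(f"{a.kind:13} {a.serial:8} {a.location:20} {a.detail}")
```

Run against the constructed data, the monitor raises five alerts: a substitution on Lane 2 (SN-9999 reporting where SN-1002 is registered), a move for SN-1003, and missing reports for SN-1002, SN-1004 and the stale SN-1005. Note that a substituted lane produces two alerts, the foreign serial and the silent original, which is the pairing an operator would want to see before sending anyone to the store.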
“We’ve long argued that security should be multilayered — incorporating EMV, end-to-end encryption and the decoupling of sensitive payment data from the point of sale,” concludes Majka. “In the case of enforcing Section 9.9 of PCI DSS 3.1, we believe that the use of automated and remote terminal estate management technology can substantially boost the effectiveness of manual inspection processes.”
Joe Majka, Vice President and Chief Security Officer, Verifone
Majka is responsible for leading Verifone’s global security operations. His areas of security oversight include products, services, hardware, facilities and emerging risk. He has more than 30 years of experience in the financial services sector, managing security, fraud, cybersecurity and data breach incident response. Joe has managed electronic payment fraud for Visa and is considered one of the leading experts in the industry.
For nearly two decades, Joe has spoken internationally on the subject of cybercrime and payment card fraud, and he has testified before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science and Technology.